RFR JDK-8239595/JDK-8239594 : ssl context version is not respected/jdk.tls.client.protocols is not respected
Chris Hegarty
chris.hegarty at oracle.com
Fri Mar 27 12:52:40 UTC 2020
Xuelei,
Before commenting further on the interaction of the HTTP Client with various contorted configurations, I would like to get a better understanding of the `jdk.tls.client.protocols` property.
Is there a specification or other documentation describing `jdk.tls.client.protocols` ?
It is my understanding that the property only affects the *default* protocol’s ( not the supported protocols ) of the *default* context. That is, the context returned by `SSLContext.getInstance("Default”)`, and the protocol values returned by the following invocation on that context `getDefaultSSLParameters().getProtocols()`. Is this correct? If not, what does it do?
-Chris.
> On 26 Mar 2020, at 16:58, Xuelei Fan <xuelei.fan at oracle.com> wrote:
>
> With this update, the logic looks like: if TLSv1.3 is not enabled in the SSLContext, use TLSv1.2 instead; Otherwise, use TLSv1.3 and TLSv1.2.
>
> There may be a couple of issues:
> 1. TLSv1.2 may be not enabled, although TLSv1.3 is enabled.
> For example:
> System.setProperty("jdk.tls.client.protocols", "TLSv1.3")
> System.setProperty("jdk.tls.client.protocols", "TLSv1.1, TLSv1.0")
>
> 2. TLSv1.2 may be not supported in the SSLContext.
> For example:
> SSLContext context = SSLContext.getInstance("DTLS");
> HttpClient.newBuilder().sslContext(context)...
>
> 3. The application may not want to use TLS 1.2.
> For example:
> System.setProperty("jdk.tls.client.protocols", "TLSv1.1, TLSv1.0")
>
> The System property may be shared by code other than httpclient. So the setting may not consider the impact on httpclient.
>
> I may use enabled protocols only. If no TLSv1.2/TLSv1.3, I may use an empty protocol array, and test to see what happens in the httpclient implementation stack.
>
> Xuelei
>
> On 3/26/2020 9:28 AM, Sean Mullan wrote:
>> Cross-posting to security-dev as this involves TLS/SSL configuration.
>> --Sean
>> On 3/26/20 10:02 AM, rahul.r.yadav at oracle.com wrote:
>>> Hello,
>>>
>>> Request to have my fix reviewed for issues:
>>>
>>> JDK-8239595 : ssl context version is not respected
>>> JDK-8239594 : jdk.tls.client.protocols is not respected
>>>
>>> The fix updates jdk.internal.net.http.HttpClientImpl.getDefaultParams(SSLContext ctx)
>>> to use ctx.getDefaultSSLParameters()instead of ctx.getSupportedSSLParameters(),
>>> as the latter does not respect the context parameters set by the user.
>>>
>>> Issue: https://bugs.openjdk.java.net/browse/JDK-8239595
>>> Issue: https://bugs.openjdk.java.net/browse/JDK-8239594
>>>
>>> Webrev: http://cr.openjdk.java.net/~jboes/rayayada/webrevs/8239595/webrev.00/
>>>
>>> -- Rahul
More information about the security-dev
mailing list